[00:01.030 --> 00:06.790]  Hi everyone. Welcome to Online Voting Theory and Practice with Porter Adams and Emily Stamm.
[00:06.790 --> 00:09.970]  We're at the DEF CON Crypto Village in August 2020.
[00:11.510 --> 00:15.850]  My name is Porter Adams. I'm a software engineer at Blacktop Government Solutions
[00:15.850 --> 00:20.690]  and founder of Disappear Digital. You can contact me on Twitter at Privacy Porter.
[00:21.250 --> 00:28.470]  I'm Emily. I'm a security research engineer at Allstate. I'm also the COO and co-founder of
[00:28.470 --> 00:34.650]  Cybersecurity Nonprofit or CSNP. And you can find me on Instagram at Crypto.Emily.
[00:37.350 --> 00:41.550]  So our talk outline, we've got three major pieces. We're doing a quick intro now
[00:41.550 --> 00:47.130]  and then I will be talking about the practice of online voting and Emily will talk about the
[00:47.130 --> 00:52.850]  theory of online voting going into homomorphic encryption, mixed nets, and blind signatures.
[00:53.550 --> 00:59.130]  The scope of our talk, so we're talking about online voting. So not all election security,
[00:59.130 --> 01:04.550]  not even all voting, just online voting. So what do I mean by that?
[01:06.850 --> 01:12.350]  So one form of online voting is anything that's called electronic voting or e-voting,
[01:12.350 --> 01:17.530]  and that just refers to something that includes at least some electronics. So in the United States,
[01:17.630 --> 01:23.150]  a lot of our voting systems already use e-voting by having computer screens that you can touch,
[01:23.150 --> 01:30.590]  but e-voting does not necessarily mean all online. Internet voting is what people would
[01:30.590 --> 01:36.650]  think of as like 100% online. Internet voting is when it's all gone fully digital and there's
[01:36.650 --> 01:46.790]  no need for in-person, anything in person. So safety of voting machines, I'm just going to
[01:46.790 --> 01:51.570]  refer you to the DEF CON Voting Village. They do a lot of really great work over there. It's not
[01:51.570 --> 01:55.270]  the focus of our talk. We're going to be talking more about the internet voting side of things
[01:55.270 --> 02:04.190]  and how it would be possible to vote entirely online. So this is the biggest question I get,
[02:04.190 --> 02:10.710]  is why can't we all vote from our phones? And it's a really great question, and so we're going
[02:10.710 --> 02:17.990]  to spend some time explaining the actual reasons why we can't yet. The advantage in why people want
[02:17.990 --> 02:25.630]  to vote from our phones in the first place, the first one is just the convenience factor.
[02:25.630 --> 02:30.710]  It's so much easier if I can sit at home and vote from my phone. It's also especially easier for
[02:30.710 --> 02:36.950]  overseas voters who, if they currently have to vote by mail, that can take a long time for their
[02:36.950 --> 02:44.470]  mail to get in, and their votes may not even be counted by the time. And so it's a lot easier for
[02:45.350 --> 02:52.430]  expats to vote from their phones. It also would hopefully improve voter turnout,
[02:52.430 --> 02:57.110]  because it's a lot less effort to download an app on my phone and click some buttons than it is to
[02:57.110 --> 03:06.070]  show up at the polling station. Less human error. So we all remember the 2000 election with the
[03:06.070 --> 03:11.930]  hanging chads in Florida and not being able to determine which way the votes went. When we vote
[03:11.930 --> 03:18.230]  on a computer it's either 0 or 1, so it's pretty clear and doesn't leave room for human error when
[03:18.230 --> 03:27.390]  filling out the ballot. So let's talk a bit about usability. So even if we had a totally working
[03:27.390 --> 03:32.630]  mobile app that everyone could download and use and it was all safe and private,
[03:32.630 --> 03:38.310]  which are concerns I'll get to later in the talk, in Finland in 2008 they had some issues
[03:38.310 --> 03:46.330]  with the user interface. And what happened was people, when they were going to vote,
[03:46.330 --> 03:50.670]  they would see the screen, they would tap through, click all the candidates they wanted to vote for,
[03:50.670 --> 03:56.810]  but at the bottom of the screen was a submit button, and about two percent of voters did not
[03:56.810 --> 04:03.030]  see the submit button on the screen, and therefore their votes were not counted in the Finland
[04:03.030 --> 04:10.250]  election in 2008. It is a user interface problem that would be a big issue if people tried to vote
[04:10.250 --> 04:16.270]  but mistakenly like didn't hit submit button. It would be a concern even if everything else
[04:16.270 --> 04:23.170]  was safe and secure and working. The other case I want to bring up is Iowa in 2020 at the Democratic
[04:23.170 --> 04:31.490]  Caucus had many problems with their mobile app that they tried to use to help tally up the votes.
[04:31.490 --> 04:36.090]  We can learn a lot of lessons from that, but one I want to highlight is that some people
[04:36.090 --> 04:43.530]  had trouble even downloading the app correctly, and so even again if we had like all the security
[04:43.530 --> 04:49.030]  and privacy stuff worked out, there's still some usability concerns with can people download the
[04:49.030 --> 04:56.610]  app, can people use the app. All of this kind of comes down to like comfort with electronics,
[04:56.610 --> 05:02.770]  which a lot of us have here at like DEF CON, but not everyone else in the world is as comfortable
[05:02.770 --> 05:11.910]  as we are with using these things. So here are some of the big concerns, and security
[05:11.910 --> 05:18.170]  is by far the biggest one. We need to make sure that our election is actually safe.
[05:20.010 --> 05:26.950]  Privacy is making sure like is it possible to even do a secret ballot online, because we all know
[05:26.950 --> 05:31.690]  there's so much tracking and surveillance with what we do online that having actually a private
[05:31.690 --> 05:35.270]  vote would be pretty tough. So I'm going to try and answer both these questions in the remainder
[05:35.270 --> 05:43.190]  of my talk. So first, security isn't safe. There is a huge attack service for anything that's going
[05:43.190 --> 05:48.850]  to be online, some sort of mobile app, and so let's just kind of go quickly over like all the
[05:48.850 --> 05:54.990]  different ways that would need to be like that could be a voting app could be attacked by,
[05:55.510 --> 06:01.890]  and we would need if we wanted to do this in practice to sure up all of these things and make
[06:01.890 --> 06:09.430]  sure that none of these could happen. So if I was a hacker trying to attack a voting app, I could
[06:09.430 --> 06:14.610]  install a backdoor either as you vote on the client side or when the votes are tallied on the
[06:14.610 --> 06:19.990]  server side. I could create an exploit for the voting app itself or for the phone operating
[06:19.990 --> 06:26.550]  system or for the server code a server operating system. I could spy on votes by intercepting the
[06:26.550 --> 06:32.310]  connection maybe with a fake wireless access point or a keylogger on the person's device.
[06:32.370 --> 06:38.690]  There's always social engineering you'd have to worry about with phishing app. Insider threat,
[06:38.690 --> 06:45.670]  whoever like created the code for any of these pieces you have to watch out for and whoever's
[06:45.670 --> 06:52.170]  running the election and then just destructive attacks like a distributed denial of service
[06:52.170 --> 06:57.190]  where the the app just goes down on the day we're all supposed to be voting.
[07:01.710 --> 07:05.830]  Okay so usually when I'm trying to explain all this to someone they always come up with
[07:05.830 --> 07:13.690]  but banks have mobile apps and this is a really smart point and so it's worth addressing why
[07:14.410 --> 07:22.350]  even though banks have mobile apps it's still very tough for a voting system to be on a mobile app.
[07:24.550 --> 07:29.990]  So what's the difference between a voting app and a banking app? First one is identity. When you're
[07:29.990 --> 07:35.110]  banking basically anyone with your credit card info can go online order some stuff on Amazon
[07:35.650 --> 07:41.990]  but when you're voting we need to make sure that it's really only you. In terms of security,
[07:41.990 --> 07:48.470]  banking has the benefit of being able to detect fraud kind of later and afterwards whereas with
[07:48.470 --> 07:54.990]  an election if there's any sort of fraud going on we need to know about it immediately. And privacy
[07:54.990 --> 08:01.030]  is one of the biggest differences where when it's just you and your bank talking and like your bank
[08:01.030 --> 08:06.750]  knows everything and you know all of your own stuff that's fairly easy to figure out just between the
[08:06.750 --> 08:13.170]  two of you. But for voting we all have secret ballots which I'll get to in a little bit. It
[08:13.170 --> 08:18.090]  makes it very challenging for my vote to stay secret while everybody else still trusting that
[08:18.090 --> 08:25.470]  votes were placed correctly. And then lastly trust in banking like it's really just between you and
[08:25.470 --> 08:30.610]  the bank and other accounts like don't really affect you or like other people using your bank
[08:30.610 --> 08:38.110]  versus in a voting system, in a voting app, I need to trust all of the votes from everybody
[08:38.110 --> 08:45.010]  not just my own. And so trust is very different for a voting app.
[08:48.010 --> 08:54.150]  So the privacy challenges specifically of online voting. First you got the secret ballot and so
[08:54.150 --> 09:00.010]  what does that mean? More or less that I need to be anonymous when I vote. So no one should be able
[09:00.010 --> 09:06.250]  to figure out based on like like no one should be able to figure out who I voted for and there
[09:06.250 --> 09:11.290]  shouldn't even be a way for me to prove it to anyone next to each other next to me or around
[09:11.290 --> 09:17.550]  me. So no one can force me to vote a certain way. It's very important for elections. Voter
[09:17.550 --> 09:23.350]  registration is not exactly a privacy challenge. It's like an identity thing but it's going to be
[09:23.350 --> 09:30.530]  kind of related so I include it here. Voter registration, it needs, I need to be very sure
[09:30.530 --> 09:35.650]  that like whoever is submitting the information in this voting app is the person on the registration
[09:35.650 --> 09:44.250]  list. And this counts against like double voting which on the internet is much more,
[09:44.250 --> 09:49.090]  it would be much easier to happen where you could submit something twice and have it accidentally
[09:49.090 --> 09:56.590]  be double counted. And trust is the big third privacy challenge where all votes must be trusted
[09:57.650 --> 10:04.850]  and typically to ensure that trust that means lots of visibility. And so the big,
[10:05.710 --> 10:13.210]  the challenge here overall is combining the secret ballots with trust and you have to somehow
[10:13.210 --> 10:20.490]  like include all of the anonymity expected for voters while still having all of the
[10:20.490 --> 10:27.070]  visibility needed for the overall election and everyone to trust the results. And putting these
[10:27.070 --> 10:33.430]  two together digitally is actually extremely tough and will require some really cool math
[10:33.430 --> 10:36.610]  that Emily will talk about in the second half of this talk.
[10:38.870 --> 10:44.390]  So it's cryptography for online voting is the answer. It's going to solve all of our privacy
[10:44.390 --> 10:51.190]  concerns. And I just want to say big thanks to cryptographer David Chom for inventing a lot of
[10:51.190 --> 10:55.890]  this stuff. I know if you're at the crypto privacy village at DEF CON and have not heard of David
[10:55.890 --> 11:04.200]  Chom before, please look up some of his work. He's done awesome stuff. Okay, so how does Estonia vote
[11:04.200 --> 11:09.800]  online? Especially in the United States, anytime this gets brought up, it's like how is some other
[11:09.800 --> 11:16.920]  country doing it, but we can't. First step's identity. In Estonia, they all have a national
[11:16.920 --> 11:23.300]  ID card that includes a chip on it where they can create digital signatures from, which essentially
[11:23.300 --> 11:30.780]  means their like government issued IDs can act as a form of identity on the internet so they can log
[11:30.780 --> 11:37.700]  in using these chips. Although I believe in the last two years they have switched from hardware
[11:37.700 --> 11:44.120]  chips to an authenticator app, but this still stands that they have some sort of way of converting
[11:44.120 --> 11:53.740]  from your real life presence to your online presence. Secondly, cryptography. Estonia uses
[11:54.080 --> 11:59.240]  a combination of, I think, mixed nets and homomorphic encryption, specifically using
[11:59.240 --> 12:06.300]  ElGamal, and Emily will explain what those are in the later half of this talk.
[12:06.620 --> 12:14.260]  And in terms of trust, Estonia has been voting online since, I think, 2005, and every year they
[12:14.260 --> 12:19.700]  keep making gradual improvements. Anytime security people go check out, there's always something
[12:19.700 --> 12:25.820]  that's broken, which isn't really a surprise, but Estonia has done a good job of fixing the
[12:25.820 --> 12:35.500]  things that are broken, and over time the system's gotten a lot better and hopefully is mostly safe
[12:35.500 --> 12:44.120]  from real threats. They haven't had any giant accusations of election interference, so either
[12:44.120 --> 12:49.640]  that means they haven't caught anyone interfering in their elections, or they've actually been doing
[12:49.640 --> 13:00.560]  a good job. In 2019, almost a quarter million Estonians voted online, which is very
[13:00.560 --> 13:08.220]  impressive numbers and goes to show that this is possible in the future if it is done slowly
[13:08.220 --> 13:18.510]  and correctly. Now, one big thing to watch out for is cryptographic backdoors. These are
[13:18.510 --> 13:26.270]  tough to catch. So Switzerland has been doing online voting, and some researchers looked into
[13:26.270 --> 13:34.690]  their Mixnet shuffle proof and found a naive implementation of the zero-knowledge proof
[13:34.690 --> 13:42.530]  inside of there, which would have allowed for all of the votes to be changed by an attacker.
[13:42.940 --> 13:49.650]  And so just making sure that every last inch of the app needs to be very carefully done,
[13:49.650 --> 13:55.430]  and especially when it comes to cryptography, you need the person who's coding it to be aware
[13:55.430 --> 14:03.040]  of all of the cryptographic assumptions and make sure that they are coding in everything properly.
[14:05.350 --> 14:08.930]  So let's look at voting cryptography around the world.
[14:09.410 --> 14:15.110]  Three big ones I want to point out are in Estonia, Switzerland, and then Moscow has
[14:15.110 --> 14:21.090]  some local elections that are online. And Estonia uses a combination of homomorphic
[14:21.090 --> 14:25.910]  encryption and Mixnets, same thing for Switzerland, and Moscow is using homomorphic
[14:25.910 --> 14:32.410]  encryption and blind signatures. So not too many countries or places around the world
[14:32.410 --> 14:37.530]  have an online option right now. There are a lot more countries that have tried doing this
[14:37.530 --> 14:43.510]  and quit. Belgium, Finland, France, Germany, Ireland, Kazakhstan, other ones, Norway are on
[14:43.510 --> 14:52.970]  the list. And the reasons for quitting are mostly either every security person says it's not very
[14:52.970 --> 15:01.750]  safe, or the voter trust in an online system is just not very high. And one of the most important
[15:01.750 --> 15:09.290]  things for an election is that voters do trust the system. And so even if online voting is safe,
[15:09.290 --> 15:14.650]  if the voters all think that it's not safe, then it's not a good idea to offer an internet
[15:14.650 --> 15:27.500]  voting option. All right, so now I'll talk about the cryptography behind the scenes
[15:27.500 --> 15:34.900]  that makes online voting possible. So some of the considerations we have, the first is security,
[15:34.900 --> 15:39.360]  so preventing attacks, preventing adversaries from tampering with the election,
[15:39.360 --> 15:45.100]  and being able to detect faulty voters and centers. The second is robustness, so no small set of
[15:45.100 --> 15:50.300]  servers should be able to disrupt the election. Accuracy, the results should reflect the way
[15:50.300 --> 15:56.180]  people actually voted. Verifiability, we should be able to verify that the votes are accurate,
[15:56.180 --> 16:01.560]  in particular, individuals should be able to verify that their vote was counted correctly.
[16:01.900 --> 16:07.240]  Confidentiality, keeping votes secret is crucial. Usability for all ages,
[16:07.240 --> 16:12.300]  and speed and efficiency, including casting the votes, processing them, and counting them.
[16:13.460 --> 16:18.220]  So there are three types of cryptographic protocols I'll cover in this talk, homomorphic
[16:18.220 --> 16:24.770]  encryption, mixed networks, and blind signatures. So first, homomorphic encryption.
[16:25.490 --> 16:31.290]  So homomorphic encryption is computation on encrypted data. So this form of encryption
[16:31.290 --> 16:36.070]  actually allows us to do computations on the data when it's in its encrypted state.
[16:36.370 --> 16:40.130]  There's been a lot of research into this area, and it's very promising,
[16:40.130 --> 16:46.310]  because generally our cryptography, when we have our data and it's encrypted, we can't use that
[16:46.310 --> 16:51.130]  data in any way. The only way we can actually make use of it is to decrypt it back into its original
[16:51.130 --> 16:57.110]  form. But with homomorphic encryption, we can actually perform computations on the encrypted
[16:57.110 --> 17:02.750]  data. So this means we could outsource data to cloud environments for processing, all while
[17:02.750 --> 17:09.970]  encrypted. We could perform data analysis, again, while data remains in its encrypted form.
[17:10.350 --> 17:14.810]  And in particular, with election voting, we could obtain a tally of the encrypted votes
[17:14.810 --> 17:20.590]  without actually having to decrypt the individual votes, maintaining privacy the entire time.
[17:23.390 --> 17:29.010]  So to give a little bit more of the mathematics of the scheme,
[17:29.010 --> 17:33.310]  so homomorphic, the term actually comes from a math term called homomorphism,
[17:33.310 --> 17:38.390]  which is a map that preserves some structure. So that's what you can kind of think of homomorphic
[17:38.390 --> 17:44.270]  encryption as doing. It preserves some underlying structure, enough to perform functions on it.
[17:45.630 --> 17:51.110]  So you have a message, you encrypt that message, you perform a function on it,
[17:51.130 --> 17:54.590]  and then you decrypt it. And that would be the same thing as if you
[17:54.590 --> 17:58.470]  apply the function directly to the message.
[18:00.350 --> 18:05.990]  And there's different types of homomorphic encryption. Generally, they are categorized
[18:05.990 --> 18:10.070]  based on what kinds of computations you can perform, whether it's just
[18:10.970 --> 18:17.490]  partial, whether it's addition, multiplication. But we even have fully homomorphic encryption,
[18:17.490 --> 18:24.670]  and that actually can perform arbitrary gates and depth, meaning really arbitrary computations.
[18:25.680 --> 18:29.150]  The only practical and secure fully homomorphic encryption
[18:29.890 --> 18:33.060]  implementations currently are based off of lattices.
[18:35.410 --> 18:41.850]  So lattice cryptography, it's this new, relatively new form of cryptography that is
[18:42.440 --> 18:47.470]  beginning a lot of attention recently, partially because it's quantum secure cryptography.
[18:48.130 --> 18:53.010]  Meaning that it's secure against quantum computers. And it's actually, most of the
[18:53.010 --> 18:59.530]  finalists in the post-quantum cryptography NIST competition are lattice-based. And lattice
[18:59.530 --> 19:04.870]  cryptography has some very strong security assumptions, especially compared to our
[19:04.870 --> 19:11.870]  classical cryptography, like RSA. It's also very flexible and efficient. Generally, the main
[19:11.870 --> 19:16.770]  downside is that it has large key sizes, but depending on the scheme, they're not even always
[19:16.770 --> 19:28.250]  much larger than RSA. So lattice cryptography is very important for the fully homomorphic
[19:28.250 --> 19:32.110]  encryption, but we'll also touch on it when we come back to blind signatures.
[19:32.390 --> 19:34.310]  So I just wanted to mention what that is.
[19:36.510 --> 19:41.110]  And now we'll turn back to homomorphic encryption and voting in particular.
[19:41.170 --> 19:46.170]  So how does it help? So we can tally the votes in the encrypted state,
[19:46.170 --> 19:50.750]  which means we take all the votes in, in their encrypted state, add them together,
[19:50.750 --> 19:55.210]  and then decrypt the result. And because of the homomorphic encryption, we get the same result
[19:55.210 --> 20:01.690]  as if we decrypted them separately and added them together. So this allows voters to maintain
[20:01.690 --> 20:09.590]  their privacy. There's also a protocol that allows voters to verify their votes.
[20:11.070 --> 20:16.030]  And even if we don't use homomorphic encryption in the election, we can still use it for ballot
[20:16.030 --> 20:21.350]  comparison. So ballot comparison is very important in the election process to inspire
[20:21.350 --> 20:26.870]  voter confidence by comparing ballots and the electronic records. And the way we could use
[20:26.870 --> 20:33.130]  homomorphic encryption in this is that we can actually do this comparison on the votes in
[20:33.130 --> 20:38.790]  their encrypted state. So we would inspire voter confidence without actually giving any
[20:38.790 --> 20:44.910]  information about the votes. And how this is done now is the votes are anonymous, but even still
[20:44.910 --> 20:52.690]  with anonymous, with not tying them back to the individuals, you can still find patterns. So it
[20:52.690 --> 20:58.990]  would be more secure if they were in their encrypted state. So next I'll talk about mixed
[20:58.990 --> 21:05.110]  networks. So mixed networks, also called mixnets, are routing protocols that use a chain of proxy
[21:05.110 --> 21:12.290]  servers, mixes, to take in messages from senders and send them to receivers in some random order.
[21:12.290 --> 21:20.090]  Additionally, they use encryption at each state, and it makes it harder to trace. And you can also
[21:20.090 --> 21:27.330]  think of it as being kind of like a Russian doll, some nested encryption going through. So there's
[21:27.330 --> 21:32.310]  two types. There's the decryption mixnet, so that's where you do all the encryption in the
[21:32.310 --> 21:37.930]  beginning, and then you partially decrypt and mix at each stage. There's also re-encryption, where
[21:37.930 --> 21:42.750]  you re-encrypt and mix at each stage and do the full decryption at the last round.
[21:43.490 --> 21:47.770]  And there's also shuffle and decrypt proofs for verifications as well.
[21:51.800 --> 21:57.920]  So lastly, we'll talk about blind signatures. So just to recall, a digital signature provides
[21:57.920 --> 22:03.780]  authenticity, so verifying that you're talking to the person you think you are, verifying a known
[22:03.780 --> 22:09.920]  sender, and integrity, verifying that the message you're receiving has not been altered in transit,
[22:09.920 --> 22:18.520]  maliciously or accidentally. So how it works is one party signs the message and creates a
[22:18.520 --> 22:27.600]  signature with a private key, and then the other party will verify that with a public key.
[22:27.600 --> 22:33.040]  So with blind signatures, it's a digital signature where the message is masked or blinded and then
[22:33.040 --> 22:40.480]  sent and then signed. So blind signatures can then be verified against the original message,
[22:40.480 --> 22:44.640]  the same way digital signatures are. The key difference is that with blind signatures,
[22:45.420 --> 22:51.440]  the person signing them doesn't know the contents of the message. So voting is actually a common
[22:51.440 --> 22:58.300]  analogy with blind signatures. So imagine you have a voter and they complete an anonymous ballot,
[22:58.300 --> 23:01.920]  which they then place in an envelope with their credentials.
[23:02.480 --> 23:07.280]  They hand that envelope to an official who signs it, and the signature of the official
[23:07.280 --> 23:11.580]  imprints through the envelope onto the ballot, and they return that envelope to the voter.
[23:14.210 --> 23:20.370]  The voter then places the ballot in a different unmarked envelope before submitting it.
[23:21.610 --> 23:25.930]  So now the message was correctly and sufficiently signed by an official,
[23:25.930 --> 23:29.090]  without the official having to know the contents of the message.
[23:29.810 --> 23:35.810]  So it provided the authenticity and integrity, but maintained the confidentiality.
[23:37.670 --> 23:43.350]  So to talk a little bit more about the scheme, in a less analogous way, what actually happens.
[23:43.350 --> 23:50.250]  So a user has some message, D, and they blind the message to get a new message, D star.
[23:51.750 --> 23:56.070]  And that's what they send to the signer. The signer then uses the private key to generate
[23:56.230 --> 24:00.470]  a signature, sigma star, for that message, D star, and returns it to the user.
[24:01.350 --> 24:08.030]  The user can then create, from sigma star, a valid signature sigma corresponding to their
[24:08.030 --> 24:13.510]  original message. So any recipient can now validate the signature sigma, as they would
[24:13.510 --> 24:18.490]  any other signature. And the signer gets no information about the contents of the message,
[24:18.490 --> 24:26.510]  or the actual signature. And there's different mathematics behind blind signatures.
[24:27.050 --> 24:33.850]  There are RSA-based options. I wouldn't recommend using these, because
[24:34.870 --> 24:39.090]  with where we are right now, if we're implementing new technology, we want to be looking as far
[24:39.090 --> 24:45.450]  ahead as possible. And in the long run, RSA is not secure against quantum computers, and just
[24:45.450 --> 24:50.970]  is not secure compared to these other types of schemes. But there's also some attacks on the
[24:50.970 --> 24:57.870]  RSA-based blind signatures. So I'm mostly going to focus on the lattice and the multivariate-based.
[24:57.870 --> 25:05.830]  So the lattice-based blind signatures, again, they're post-quantum secure, and they rely on
[25:05.830 --> 25:10.290]  similar problems, similar types of schemes, as those that are finalists in the NIST post-quantum
[25:10.290 --> 25:15.870]  cryptography competition. So we have a lot of faith in these lattice-based schemes, and we can
[25:15.870 --> 25:21.730]  create blind signatures from them. Additionally, multivariate, there's a scheme called the Rainbow
[25:21.730 --> 25:27.030]  Scheme that's a finalist in the NIST post-quantum cryptography signature schemes competition.
[25:27.870 --> 25:34.110]  So again, leads to be post-quantum secure. And we can turn this scheme into a blind signature scheme.
[25:34.410 --> 25:38.890]  And there's a lot of benefits to multivariate cryptography, such as having very fast and short
[25:39.450 --> 25:46.030]  signatures. And this diagram just kind of shows how the Rainbow Scheme works.
[25:46.550 --> 25:54.810]  Essentially, you have a message w, the hashed message, and you recursively obtain
[25:55.450 --> 26:04.170]  inverses of these functions to get the signature z. And then that signature z can be verified by
[26:04.170 --> 26:10.490]  using the public key function and just applying that to see if you get the correct message back.
[26:10.730 --> 26:17.470]  With blind signatures, there's just some extra steps in this process. You use a special function
[26:17.470 --> 26:26.450]  called r that actually, by using that, you create the blind aspect of it. And then you
[26:26.450 --> 26:33.550]  use zero-knowledge proofs at the end as well as part of the verification proof.
[26:33.550 --> 26:39.350]  So a little bit more complicated, but again, very similar mathematics.
[26:41.350 --> 26:47.730]  So in summary, we talked about homomorphic encryption, so computation on encrypted votes,
[26:47.730 --> 26:52.310]  which allows us to tally the votes in their encrypted form. And it can use different
[26:52.310 --> 26:57.750]  types of cryptography, but lattice space is one that is post-quantum secure and very flexible.
[26:58.510 --> 27:02.750]  Then we talked about the mixed networks protocol, where you have a nested series
[27:02.750 --> 27:08.630]  of encryption or re-encryptions and shufflings, and this way you cannot determine which person
[27:08.630 --> 27:13.370]  the vote came from. And there's also a range of underlying public key cryptography mathematics
[27:13.370 --> 27:19.530]  that I didn't go over, but the protocol itself is fairly flexible. And finally, we talked about
[27:19.530 --> 27:25.450]  blind signatures. So this is where you create a valid signature without knowing the contents of
[27:25.450 --> 27:29.730]  the message. So you're verifying authenticity and integrity of a vote while maintaining
[27:29.730 --> 27:34.890]  confidentiality of a voter. And we talked about lattice and multivariate-based schemes.
[27:35.290 --> 27:40.270]  To summarize everything, is it possible theoretically? Yes, eventually. Cryptographers
[27:40.270 --> 27:45.450]  will help us get it right, as well as security people. Is it ready in practice? Not yet in the
[27:45.450 --> 27:51.170]  United States. Let's start small scale, and maybe eventually we'll be able to have more voters vote
[27:51.170 --> 27:59.960]  from their phones. So thank you. Thank you for coming to the talk.
